Because I am a freak, those kinds of attacks are useless on my servers (prefer to do text manipulation instead of using MYSQL) #txtMode4Life #emacs;

however, that person is making sense making those kinds of requests. I have worked in small web hostings companies and let me tell you this. it can easily work !
old backup files here and there. And the funny part is you can figure out ALL the websites the company hosts by looking at its vhosts. (pen testing folks will understand this) and that kind of information is designed to be public anyway (nothing fancy here);